Hi, I got little interest in my previous draft on using triple-DH authenticated key agreement for TLS 1.2. In case the reason was that everyone is focussed on TLS 1.3, I have now produced a new I-D which specifies how this same method would work for TLS 1.3. It is published at https://www.ietf.org/internet-drafts/draft-putman-tls13-preshared-dh-00.txt.
As part of this update, I have introduced support for anonymous clients and I have shown how this would support 0-RTT. The primary purpose of this method (for me) is to support TLS on constrained devices. However, the fact that it supports 0-RTT may make it of interest to the wider TLS community. The combination of anonymous clients and 0-RTT means that if a client is able to discover a server public key (e.g. through DNSSEC) then it is immediately able to send 0-RTT data without having had a previous session (i.e. without a session resumption ticket). The draft contains a table comparing triple-DH with other authentication methods. The comparisons are: Versus PSK (excluding session resumption): Advantages: A server breach does not permit client impersonation; hardware protection for the server key is possible; the client identity is confidential. Disadvantages: Public-key computation(s) are needed. Versus Raw Keys: Advantages: Supports 0-RTT messages; only one public-key algorithm is used; the handshake message exchange is shorter. Disadvantages: The keypair needed is different to that needed for PKI (disadvantage only if the server supports both). Versus Certificate Authentication: Advantages: Supports 0-RTT messages; only one public-key algorithm is used; no certificate parsing is needed; the handshake message exchange is much shorter. Disadvantages: Out-of-band public key distribution is needed (e.g. pre-provisioning, DNSSEC). Comments welcome. Tony Dyson Technology Limited, company number 01959090, Tetbury Hill, Malmesbury, SN16 0RP, UK. This message is intended solely for the addressee and may contain confidential information. If you have received this message in error, please immediately and permanently delete it, and do not use, copy or disclose the information contained in this message or in any attachment. Dyson may monitor email traffic data and content for security & training.
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
